From b4f63879f2a5cf0578101591f26471238f944e9c Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 28 Apr 2025 10:46:03 +0200
Subject: [PATCH xserver 4/7] os: Account for bytes to ignore when sharing
 input buffer

When reading requests from the clients, the input buffer might be shared
and used between different clients.

If a given client sends a full request with non-zero bytes to ignore,
the bytes to ignore may still be non-zero even though the request is
full, in which case the buffer could be shared with another client who's
request will not be processed because of those bytes to ignore, leading
to a possible hang of the other client request.

To avoid the issue, make sure we have zero bytes to ignore left in the
input request when sharing the input buffer with another client.

CVE-2025-49178

This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
---
 os/io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/os/io.c b/os/io.c
index de5b3c921..b7f2750b5 100644
--- a/os/io.c
+++ b/os/io.c
@@ -444,7 +444,7 @@ ReadRequestFromClient(ClientPtr client)
      */
 
     gotnow -= needed;
-    if (!gotnow)
+    if (!gotnow && !oci->ignoreBytes)
         AvailableInput = oc;
     if (move_header) {
         if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
-- 
2.49.0